Spider-Man No Way Home Fans, This Crypto Malware Could Spoil Your Holiday
A new crypto-malware is taking advantage of the popularity of “Spider-Man: No Way Home”, the latest installment of the series. The movie recently premiered worldwide and within a couple of days smashed every revenue expectation, recording over $250 million worldwide in its first weekend.
The excitement generated by the newest Marvel movie was leveraged by bad actors, according to a report by ReasonLabs, a cybersecurity company. Dubbed the “Spider-Miner”, this malware was created to “lure victims” with a torrent file that supposedly contains a copy of “No Way Home”.
A torrent, usually downloaded from platforms such as ThePirateBay, is a file shared by many users across the world. Its decentralized nature lets these files bypass censorship and national security organizations, to the benefit or detriment of their users.
Reason Security identified the file as “spiderman_net_putidmoi.torrent.exe”, which stands for “spiderman_no_wayhome.torrent.exe” when translated from Russian. Victims of this crypto-malware will experience the following if they download the file:
This miner adds exclusions to Windows Defender, creates persistence, and spawns a watchdog process to maintain its activity.
The report further claims the crypto-malware was designed to elude examination; its processes are therefore “written with legitimate names”. The malicious software, Reason Security confirmed, can “start a process and inject its embedded resources into another process”.
The target is a folder located in the Windows directory. To infect the computer and hijack its resources, the malware decompresses files at runtime into the svchost.exe process. Moreover, the malicious software is capable of affecting Microsoft Defender, the most commonly used anti-virus on Windows computers.
The program starts two encoded PowerShell commands that add the following extended exclusions to Microsoft Defender: ignore all folders under the user profile, the system drive (i.e. “c:\”), and all files with the extension “.exe” or “.dll”.
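The encoded-PowerShell step is the part of this chain a defender can catch in process-creation telemetry. The following Python is an added example, not code from the ReasonLabs report or this article: it decodes `-EncodedCommand` payloads from constructed, Sysmon-like log lines and flags `Add-MpPreference` calls that create the kind of blanket exclusions described above. The log lines, commands and paths are constructed for illustration.

```python
import base64
import re
# Constructed samples (not from the report): the blanket exclusions the article
# describes, beside a narrow exclusion an administrator might legitimately set.
SUSPICIOUS_CMD = ('Add-MpPreference -ExclusionPath "C:\\", "$env:USERPROFILE" '
                  '-ExclusionExtension ".exe", ".dll"')
BENIGN_CMD = 'Add-MpPreference -ExclusionPath "C:\\Program Files\\Vendor\\cache"'
def encode_ps(command: str) -> str:
    """powershell.exe -EncodedCommand takes base64 over the UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")
# Constructed process-creation log lines in a Sysmon-like key=value layout.
SAMPLE_LOGS = [
    'ParentImage=C:\\Users\\alice\\Downloads\\spiderman_net_putidmoi.torrent.exe '
    f'Image=powershell.exe CommandLine="powershell -nop -w hidden -enc {encode_ps(SUSPICIOUS_CMD)}"',
    'ParentImage=C:\\Windows\\explorer.exe Image=powershell.exe '
    f'CommandLine="powershell -EncodedCommand {encode_ps(BENIGN_CMD)}"',
]
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(line: str):
    """Return the plaintext of an -EncodedCommand payload in a log line, else None."""
    m = ENC_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def param_values(script: str, param: str) -> list:
    """Comma-separated values of -<param>; they run until the next -Parameter or the end."""
    m = re.search(rf"-{param}\s+(.+?)(?=\s-[a-z]|$)", script, re.I)
    return [v.strip().strip("'\"").lower() for v in m.group(1).split(",")] if m else []

def broad_defender_exclusions(script: str) -> list:
    """Name the overly broad exclusions an Add-/Set-MpPreference call would create."""
    if "-mppreference" not in script.lower():
        return []
    findings = []
    for p in param_values(script, "exclusionpath"):
        # a whole drive, the profile variable, or anything under C:\Users
        if re.fullmatch(r"[a-z]:\\?", p) or "userprofile" in p or p.startswith("c:\\users"):
            findings.append(f"broad path ({p})")
    for e in param_values(script, "exclusionextension"):
        if e.lstrip(".") in ("exe", "dll"):
            findings.append(f"executable extension ({e})")
    return findings

def scan(lines: list) -> list:
    """Decode each line's encoded command and keep those that add broad exclusions."""
    decoded = [(s, broad_defender_exclusions(s)) for s in map(decode_encoded_command, lines) if s]
    return [(s, f) for s, f in decoded if f]
```

Running `scan(SAMPLE_LOGS)` reports only the first line; the narrow vendor-cache exclusion passes, which is the distinction a detection rule needs to avoid paging on routine administration.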
Could You Be Mining Crypto Without Knowing It?
Once successfully installed, the crypto-malware harvests the computer’s processing power to mine Monero, a privacy coin that operates with fully untraceable transactions. The mining process is kept active via a file called “oocetcmsrfsmni”.
The report claims it was able to identify the resource responsible for the mining once svchost was analyzed. In this folder, the crypto-malware injected the “xmrig” mining program, the software that mines Monero, as seen in the image below.
The malicious program is capable of staying hidden from programs such as Task Manager, Perfmon, Process Hacker, and Process Explorer. In conclusion, Reason told users the following, advising them to always:
Although this malware does not compromise personal information (which is what most users are afraid of when thinking about a virus on their computer), the damage that a miner causes can be seen in the user’s electricity bill. This is real money that they have to pay (…)
As of press time, XMR trades at $205 with a 1.4% loss in the last 24 hours.